Merge branch 'main' into feature/add-service-ldap-options

.github/actions/deploy-cluster/action.yml

@@ -0,0 +1,27 @@
+name: Deploy a CNPG Cluster
+description: Deploys a CNPG Cluster
+inputs:
+  namespace:
+    description: 'The name of the namespace where the Cluster will be deployed'
+    required: false
+    default: 'default'
+runs:
+  using: composite
+  steps:
+    - name: Deploy a cluster
+      shell: bash
+      env:
+        NAMESPACE: ${{ inputs.namespace }}
+      run: |
+        cat <<EOF | kubectl apply -f -
+        # Example of PostgreSQL cluster
+        apiVersion: postgresql.cnpg.io/v1
+        kind: Cluster
+        metadata:
+          name: cluster-example
+          namespace: $NAMESPACE
+        spec:
+          instances: 3
+          storage:
+            size: 1Gi
+        EOF

.github/actions/deploy-operator/action.yml

@@ -1,16 +1,29 @@
 name: Deploy the CNPG Operator
 description: Deploys the CNPG Operator to a Kubernetes cluster
+inputs:
+  namespace:
+    description: 'The name of the namespace where the operator will be deployed'
+    required: false
+    default: 'cnpg-system'
+  cluster-wide:
+    description: 'If the operator should be deployed cluster-wide or in single-namespace mode'
+    required: false
+    default: 'true'
 runs:
   using: composite
   steps:
     - name: Deploy the operator
       shell: bash
+      env:
+        NAMESPACE: ${{ inputs.namespace }}
+        CLUSTER_WIDE: ${{ inputs.cluster-wide }}
       run:
         helm dependency update charts/cloudnative-pg
 
         helm upgrade
         --install 
-        --namespace cnpg-system
+        --namespace $NAMESPACE
         --create-namespace
+        --set config.clusterWide=$CLUSTER_WIDE
         --wait
         cnpg charts/cloudnative-pg

.github/actions/setup-kind/action.yml

@@ -12,9 +12,9 @@ runs:
   steps:
     - id: helm
       name: Set up Helm
-      uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
       with:
-        version: v3.6.2
+        version: v3.16.2
 
     - id: kubectl
       name: Install kubectl

.github/actions/verify-cluster-ready/action.yml

@@ -5,6 +5,10 @@ inputs:
     description: The name of the cluster to verify
     required: true
     default: database-cluster
+  namespace:
+    description: 'The name of the namespace where the Cluster is deployed'
+    required: false
+    default: 'default'
   ready-instances:
     description: The amount of ready instances to wait for
     required: true
@@ -15,15 +19,19 @@ runs:
   steps:
     - name: Wait for the cluster to become ready
       shell: bash
+      env:
+        CLUSTER_NAME: ${{ inputs.cluster-name }}
+        NAMESPACE: ${{ inputs.namespace }}
+        EXPECTED_READY_INSTANCES: ${{ inputs.ready-instances }}
       run: |
         ITER=0
         while true; do
           if [[ $ITER -ge 300 ]]; then
             echo "Cluster not ready"
             exit 1
           fi
-          READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io ${INPUT_CLUSTER_NAME} -o jsonpath='{.status.readyInstances}')
-          if [[ "$READY_INSTANCES" == ${INPUT_READY_INSTANCES} ]]; then
+          READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io $CLUSTER_NAME -n $NAMESPACE -o jsonpath='{.status.readyInstances}')
+          if [[ "$READY_INSTANCES" == "$EXPECTED_READY_INSTANCES" ]]; then
             echo "Cluster up and running"
             break
           fi

.github/workflows/lint.yml

@@ -14,16 +14,16 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
-          version: v3.4.0
+          version: v3.16.2
 
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: 3.12
 

.github/workflows/release-pr.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Create Pull Request
         id: create-pr
         env:

.github/workflows/release-publish.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # important for fetching all history to run comparison against
 
@@ -35,7 +35,7 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
-          version: v3.14.1
+          version: v3.16.2
 
       - name: Add chart dependencies
         run: |

.github/workflows/tests-cluster-chainsaw.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 

.github/workflows/tests-operator.yml

@@ -7,10 +7,11 @@ on:
 
 jobs:
   deploy_operator:
+    name: Deploy the operator in cluster-wide mode
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -21,21 +22,52 @@ jobs:
         uses: ./.github/actions/deploy-operator
 
       - name: Deploy a cluster
-        run: |
-          cat <<EOF | kubectl apply -f -
-          # Example of PostgreSQL cluster
-          apiVersion: postgresql.cnpg.io/v1
-          kind: Cluster
-          metadata:
-            name: cluster-example
-          spec:
-            instances: 3
-            storage:
-             size: 1Gi
-          EOF
+        uses: ./.github/actions/deploy-cluster
 
       - name: Verify that the cluster is ready
         uses: ./.github/actions/verify-cluster-ready
         with:
           cluster-name: cluster-example
-          ready-instances: 3
+          ready-instances: '3'
+
+  deploy_operator_single_namespace:
+    name: Deploy the operator in single-namespace mode
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Setup kind
+        uses: ./.github/actions/setup-kind
+
+      - name: Deploy the operator
+        uses: ./.github/actions/deploy-operator
+        with:
+          namespace: 'single-install'
+          cluster-wide: 'false'
+
+      - name: Deploy a cluster
+        uses: ./.github/actions/deploy-cluster
+        with:
+          namespace: 'single-install'
+
+      - name: Verify that the cluster is ready
+        uses: ./.github/actions/verify-cluster-ready
+        with:
+          namespace: 'single-install'
+          cluster-name: 'cluster-example'
+          ready-instances: '3'
+
+      - name: Create a separate namespace
+        run: kubectl create ns test-ignore
+
+      - name: Deploy a cluster in 'test-ignore'
+        uses: ./.github/actions/deploy-cluster
+        with:
+          namespace: 'test-ignore'
+
+      - name: Verify the cluster in 'test-ignore' is being ignored
+        run: |
+          kubectl -n test-ignore get pods 2>&1 >/dev/null | grep 'No resources found'

CODEOWNERS

@@ -2,6 +2,6 @@
 # responsible for code in a repository. For details, please refer to
 # https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/about-code-owners
 
-*               @fcanovai @gbartolini @leonardoce @mnencia @phisco @sxd
+*               @fcanovai @gbartolini @leonardoce @mnencia @phisco @sxd @itay-grudev
 /.github        @fcanovai @gbartolini @leonardoce @mnencia @phisco @sxd @itay-grudev
 /charts/cluster @itay-grudev

README.md

@@ -24,6 +24,30 @@ helm upgrade --install cnpg \
   cnpg/cloudnative-pg
 ```
 
+#### Single namespace installation
+
+It is possible to limit the operator's capabilities to solely the namespace in
+which it has been installed. With this restriction, the cluster-level
+permissions required by the operator will be substantially reduced, and
+the security profile of the installation will be enhanced.
+
+You can install the operator in single-namespace mode by setting the
+`config.clusterWide` flag to false, as in the following example:
+
+```console
+helm upgrade --install cnpg \
+  --namespace cnpg-system \
+  --create-namespace \
+  --set config.clusterWide=false \
+  cnpg/cloudnative-pg
+```
+
+**IMPORTANT**: the single-namespace installation mode can't coexist
+with the cluster-wide operator. Otherwise there would be collisions when
+managing the resources in the namespace watched by the single-namespace
+operator.
+It is up to the user to ensure there is no collision between operators.
+
 Refer to the [Operator Chart documentation](charts/cloudnative-pg/README.md) for advanced configuration and monitoring.
 
 ## Cluster chart

charts/cloudnative-pg/Chart.yaml

@@ -18,12 +18,12 @@ name: cloudnative-pg
 description: CloudNativePG Operator Helm Chart
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
 type: application
-version: "0.22.0"
+version: "0.22.1"
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning, they should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.24.0"
+appVersion: "1.24.1"
 sources:
   - https://github.com/cloudnative-pg/charts
 keywords:

charts/cloudnative-pg/README.md

@@ -1,6 +1,6 @@
 # cloudnative-pg
 
-![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.24.0](https://img.shields.io/badge/AppVersion-1.24.0-informational?style=flat-square)
+![Version: 0.22.1](https://img.shields.io/badge/Version-0.22.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.24.1](https://img.shields.io/badge/AppVersion-1.24.1-informational?style=flat-square)
 
 CloudNativePG Operator Helm Chart
 
@@ -30,7 +30,8 @@ CloudNativePG Operator Helm Chart
 | additionalEnv | list | `[]` | Array containing extra environment variables which can be templated. For example:  - name: RELEASE_NAME    value: "{{ .Release.Name }}"  - name: MY_VAR    value: "mySpecialKey" |
 | affinity | object | `{}` | Affinity for the operator to be installed. |
 | commonAnnotations | object | `{}` | Annotations to be added to all other resources. |
-| config | object | `{"create":true,"data":{},"name":"cnpg-controller-manager-config","secret":false}` | Operator configuration. |
+| config | object | `{"clusterWide":true,"create":true,"data":{},"name":"cnpg-controller-manager-config","secret":false}` | Operator configuration. |
+| config.clusterWide | bool | `true` | This option determines if the operator is responsible for observing events across the entire Kubernetes cluster or if its focus should be narrowed down to the specific namespace within which it has been deployed. |
 | config.create | bool | `true` | Specifies whether the secret should be created. |
 | config.data | object | `{}` | The content of the configmap/secret, see https://cloudnative-pg.io/documentation/current/operator_conf/#available-options for all the available options. |
 | config.name | string | `"cnpg-controller-manager-config"` | The name of the configmap/secret to use. |
@@ -67,6 +68,8 @@ CloudNativePG Operator Helm Chart
 | rbac.create | bool | `true` | Specifies whether ClusterRole and ClusterRoleBinding should be created. |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
+| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
+| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
 | service.name | string | `"cnpg-webhook-service"` | DO NOT CHANGE THE SERVICE NAME as it is currently used to generate the certificate and can not be configured |
 | service.port | int | `443` |  |
 | service.type | string | `"ClusterIP"` |  |

charts/cloudnative-pg/templates/NOTES.txt

@@ -1,18 +1,21 @@
 
 CloudNativePG operator should be installed in namespace "{{ .Release.Namespace }}".
-You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows:
+You can now create a PostgreSQL cluster with 3 nodes as follows:
 
 cat <<EOF | kubectl apply -f -
 # Example of PostgreSQL cluster
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
   name: cluster-example
+  {{if not .Values.config.clusterWide  -}}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
 spec:
   instances: 3
   storage:
     size: 1Gi
 EOF
 
-kubectl get cluster
+kubectl get -A cluster